
Prisma Cloud: Protect your Cloud Instance with Host Defender


1 hour 30 minutes, 1 credit

This lab was developed with our partner, Palo Alto Networks. Your personal information may be shared with Palo Alto Networks, the lab sponsor, if you have opted in to receive product updates, announcements, and offers in your Account Profile.

GSP838


Overview

Prisma Cloud provides comprehensive visibility and threat detection for cloud workloads. The software consists of two components: the Console and Defenders. There are several Defender types; this lab focuses on securing Compute Engine instances with the Prisma Cloud Host Defender. The Console is Prisma Cloud's management interface: it is where you manage the Host Defenders you will deploy in this lab, define security policies, and monitor your environment. A Host Defender is installed on each Compute Engine instance and protects the workload running there according to the security policies configured in the Console.

In this lab, you will use Prisma Cloud Host Defender to protect your Compute Engine Instances.

What you'll do:

  • Deploy Prisma Cloud Compute on a Google Kubernetes Engine (GKE) Cluster

  • Deploy Host Defender to Compute Engine Instances.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which could otherwise result in extra charges to your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Connect to the Kubernetes Cluster

A Kubernetes cluster has been provisioned so you can get started with your lab.

From the Navigation menu, go to Kubernetes Engine > Clusters.

You may have to wait for the cluster to finish provisioning. When a green check mark appears next to the cluster named k8-cluster, click Connect, which offers the option of running the connection command in Cloud Shell.

Click Run in Cloud Shell.

Cloud Shell launches below the Cloud Console. Click Continue.

This takes a few moments, because Cloud Shell is a persistent container image with full shell access to your project. It comes with a number of useful tools pre-installed, such as Terraform. In a production environment, the main reason to use Cloud Shell rather than a shell on your own laptop is that you do not have to store authentication tokens locally: Cloud Shell automatically inherits the permissions of the account you are signed in with.

Press Enter in Cloud Shell to run the pre-populated gcloud command.

Click Authorize.

Install Prisma Cloud Compute

From Cloud Shell execute the following commands.

  1. Download the Prisma Cloud Compute Console release archive and extract it:

curl -O https://cdn.twistlock.com/releases/f7371a8b/prisma_cloud_compute_edition_20_09_345.tar.gz
mkdir prisma_cloud_compute_edition
tar xvzf prisma_cloud_compute_edition_20_09_345.tar.gz -C prisma_cloud_compute_edition/
cd prisma_cloud_compute_edition

  2. Retrieve the Token from the Qwiklabs start page under Student Resources; it is needed to create the Prisma Cloud Compute Console. Click Token and the link opens in a new browser tab.

You will be asked for this Token in a moment, so leave that tab open.

  3. Execute the following command to generate the YAML file for the Prisma Cloud Compute Console:

./linux/twistcli console export kubernetes --service-type LoadBalancer
  4. Return to the browser tab with the token and copy it. Paste the token into Cloud Shell when prompted; it is not echoed as you paste it. Press Enter and the command completes.

twistcli adds the token to the generated YAML file (twistlock_console.yaml) for the Console's initial authentication.

  5. Now use kubectl to create the Console resources from the generated file:

kubectl create -f twistlock_console.yaml


  6. Run the following command to check whether the service has come up. The -w flag (watch) keeps the command running and prints a new line each time the service changes:

kubectl get service -w -n twistlock

The public IP shown under the EXTERNAL-IP heading appears once the load balancer has been provisioned. This is the address you will use to reach the Prisma Cloud Compute Console.

Once you see the EXTERNAL-IP, press Ctrl-C to stop watching and return to the command line.

Copy the External IP address of the Console. You will use it to test connectivity from the hosts.

Click Check my progress to verify the objective. Install Prisma Cloud Compute

Connect to the console of the lab instances

There are three Linux Compute Engine instances pre-deployed in the lab, named jenkins-vm, juice-shop and kali. You are going to deploy the Prisma Cloud Host Defender on all three.

To find these instances, in the Cloud Console navigate to Compute Engine > Virtual machines > VM instances.

  1. Connect to the instances as follows:

  • SSH to jenkins-vm by clicking SSH in the VM instances list.

  • SSH to juice-shop by clicking SSH in the VM instances list.

  • SSH to kali from Cloud Shell with the following command, replacing [external IP of kali] with the instance's external IP:

ssh kali@[external IP of kali]

When asked whether you want to continue connecting, type "yes", then enter the password: kali. This is a throwaway lab credential on an instance reachable from the internet; it is not a configuration to reproduce outside the lab.

  2. Verify that the instances on which you will install Host Defender can reach the Prisma Cloud Console. Execute the following curl command from kali, juice-shop and jenkins-vm, replacing [CONSOLE_IP_ADDRESS|HOSTNAME] with the External IP address of the twistlock-console service from the previous step:

curl -sk -D - https://[CONSOLE_IP_ADDRESS|HOSTNAME]:8083/api/v1/_ping

The first line of the output is the HTTP status line; a status code of 200 indicates you have connectivity to the Console. The -D - option prints the response headers so that the status line is visible, and -k skips certificate verification, which is necessary because the Console presents a self-signed certificate at this point.

  3. Log in to the Prisma Cloud Console by opening a browser window and browsing to https://[YOUR-EXTERNAL-IP]:8083. By default, the Console serves HTTPS on port 8083.
  4. At the certificate warning (expected, since the certificate is self-signed), click Advanced, then the Proceed to ... link.

  5. Create the administrator account with the following credentials, then click Create Account:

User: admin

Password: Pal0Alt0@123

  6. Now click Key on the Qwiklabs start page under Student Resources to retrieve the license for the Prisma Cloud Compute Console.

The link will open a new tab in your browser. Copy the Key.

  7. Paste the license key into the Update field and click Register.

Once the key has been registered, a first-use menu appears; click the X in the upper right corner to close it.

Deploy the Host Defender

Now you will install the Prisma Cloud Compute Host Defender. Host Defender communicates with the Prisma Cloud Compute Console over Transport Layer Security (TLS), and each Defender validates the Console's identity against the identifiers (Subject Alternative Names) in the Console's certificate. In this section you will add the address the Defenders will connect to, the Console's external IP, to that list, so that the Defenders you deploy accept the Console's certificate.

  1. Install the Prisma Cloud Compute Single Defender. From the Prisma Cloud Compute Console go to Manage > Defenders > Deploy.

  2. Add a Subject Alternative Name (SAN) for the Console.

If a banner prompts you to do so, add the Console's public IP address to the SAN list from the banner.

Otherwise, add a SAN to the Console's certificate directly from the web interface:

  • Go to Manage > Defenders > Names.
  • Click Add SAN.
  • Enter a DNS name or the Console's external IP address.
  • Click Add.
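The two things a host needs before the install script is pasted into it are reachability of the Console's _ping endpoint (the curl check from the previous section) and a Console certificate whose SAN list contains the address the Defender will connect to. The script below is an added example, not part of the lab and not Prisma Cloud's own tooling, that does both in one pass: it reads the Console's EXTERNAL-IP with a kubectl jsonpath query instead of the -w watch used earlier, confirms that _ping answers 200, and checks that the certificate the Console serves lists that address in its Subject Alternative Names. It assumes the Service is named twistlock-console in the twistlock namespace (as twistlock_console.yaml creates it), port 8083, and OpenSSL 1.1.1 or later for x509 -ext; the fetch functions talk to the live Console, while the two parsing helpers work offline.

```shell
#!/bin/sh
# Added example; not part of the lab and not Prisma Cloud's own tooling.
# Pre-flight checks to run before pasting the Defender install script into a
# host: (1) the Console's _ping endpoint answers 200 on 8083, and (2) the
# certificate the Console serves lists the address the Defender will connect
# to in its Subject Alternative Names, which is what Defender validates.
# Assumptions: Service twistlock-console in namespace twistlock (as created
# from twistlock_console.yaml), port 8083, curl, and OpenSSL 1.1.1+ for
# `x509 -ext`.

PORT=8083

# console_ip: the EXTERNAL-IP the lab reads off `kubectl get service -w`,
# fetched once with a jsonpath query instead of watching (run in Cloud Shell).
console_ip() {
  kubectl get service twistlock-console -n twistlock \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
}

# http_status HEADERS: the three-digit status code from the response headers
# that `curl -D -` prints (HTTP/1.1 and HTTP/2 status lines alike).
http_status() {
  printf '%s\n' "$1" | sed -n '1s#^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*#\1#p'
}

# san_has_name SAN NAME: succeeds only if NAME appears as a complete DNS or
# IP entry in a subjectAltName value such as
# "DNS:localhost, DNS:twistlock-console, IP Address:10.0.0.5".
# Exact matching matters: 10.0.0.5 must not be accepted because 10.0.0.50 is.
san_has_name() {
  printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# console_ping HOST: the lab's `curl -sk -D -` check reduced to pass/fail.
# -k is needed because the Console still presents a self-signed certificate;
# that is why its address must be in the SAN list for Defender to trust it.
console_ping() {
  hdrs=$(curl -sk -D - -o /dev/null --max-time 10 "https://$1:$PORT/api/v1/_ping") || return 1
  [ "$(http_status "$hdrs")" = "200" ]
}

# console_san HOST: the SAN line of the leaf certificate the Console serves.
console_san() {
  openssl s_client -connect "$1:$PORT" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null | sed -n '2p'
}

# Usage: sh preflight.sh <CONSOLE_IP>   or   sh preflight.sh auto
# (auto looks the IP up with kubectl). With no argument only the functions
# are defined, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
  CONSOLE=$1
  [ "$CONSOLE" = auto ] && CONSOLE=$(console_ip)
  if console_ping "$CONSOLE"; then
    echo "ping https://$CONSOLE:$PORT/api/v1/_ping: 200"
  else
    echo "ping https://$CONSOLE:$PORT/api/v1/_ping: FAILED (firewall, wrong IP, or Console not ready)"
    exit 1
  fi
  SAN=$(console_san "$CONSOLE")
  if san_has_name "$SAN" "$CONSOLE"; then
    echo "certificate SAN lists $CONSOLE: Defender will accept this Console"
  else
    echo "certificate SAN does not list $CONSOLE (have: $SAN); add it under Manage > Defenders > Names"
    exit 1
  fi
fi
```

Run it on each of the three instances with the Console IP as the argument; a SAN failure means the Defender would reject the Console's certificate, so fix the Names list before deploying rather than after.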

  3. Deploy the Single Defender. In Step 1 on the Deploy page, select the Console's External IP address as the name that Defenders will use to connect to the Console. Scroll down to Step 2 and choose the Defender type Host Defender - Linux. In Step 3, click Copy to copy the install script.

  4. Paste the install script into the shell of each of the three Linux instances (the jenkins-vm, juice-shop and kali sessions you opened earlier) to install the Host Defender on all three.

Keep these shell connections to the three Linux instances open; you will issue commands in each of them in later exercises.

  5. In the Prisma Cloud Console, navigate to Manage > Defenders > Manage to see the list of deployed Defenders; the three hosts should be listed as connected.

  6. Navigate to Radars in the left menu and select Hosts. The Defenders have begun scanning their hosts and populating the Console with information.

Click Check my progress to verify the objective. Deploy the Host Defender

Gain visibility into all applications running on a host

  1. Navigate to Monitor > Runtime > Host Observations, then select jenkins to review an application with multiple processes.

  2. Scroll down and click twistlock-defender-server to review the following information:

  • Enriched information on the application, for known applications.
  • Listening ports.
  • Outgoing ports.
  • All processes observed, including full path, command line, parent path, user, and when each process was first seen.

Gain visibility to hosts exposed to known vulnerabilities

  1. Navigate to Radars > Hosts, click Jenkins, then click Vulnerabilities to review the vulnerability details.

  2. Click Package Info.

  3. Review the details of the packages.

Close this view.

  4. Review the list of missing security updates via Monitor > Runtime > Host Observations: open juice-shop and navigate to the Security Updates tab.

Close this view when you're finished reviewing.

Protect Host with Runtime Defense

Prisma Cloud secures hosts with file integrity monitoring (FIM), log inspection, application, capability and activity rules, custom runtime rules, and more, to ensure running workloads stay secure. Audit and security events are captured automatically together with forensic data, so an investigation can start from a single view. Out of the box, Prisma Cloud protects against a large range of attack tooling, including crypto miners, exploitation tools, command-and-control (C2) infrastructure, password attacks, and sniffing and spoofing tools. Runtime rules are customizable to address emerging threats or organization-specific requirements.

Protect hosts against specific command or domain

In addition to the out-of-the-box protection, you can create a runtime rule that blocks execution of a specific command and resolution of a specific domain name.

Create a runtime rule to prevent a process to run

In the Prisma Cloud Console, select Defend > Runtime, select the Host Policy tab, and click Add rule.

Enter the rule name "prevent ls" and select all of the hosts you want to protect.

On the Processes tab, switch Effect from Alert to Prevent and add the ls command to the Prevented processes list.

On the Networking tab:

  • Enable DNS
  • Turn Effect to Prevent
  • Add *.google.com to the Prevented domains list


Click Save.

Execute the command and lookup the domain

You may have to log in to kali again. If so, use the following command with the password kali:

ssh kali@[external IP of kali]

From the kali shell, issue the ls command:

ls

The command is blocked.

Now try a DNS lookup:

nslookup www.google.com

The lookup fails.

Try a lookup for a domain that is not on the list:

nslookup www.paloaltonetworks.com

This lookup succeeds.

Both rules match on names, which is worth keeping in mind when writing real policies: preventing the ls process does not stop a shell builtin such as echo * from listing a directory, and preventing resolution of *.google.com does not stop a connection to an address the attacker already knows. Rules like these demonstrate the enforcement path; the out-of-the-box protections described above do the heavier lifting.

Gain visibility to attacks and conduct an investigation

With Host Audits you can see:

  • All audits associated with an incident, on the incident explorer page.
  • Forensic data for the incident, with everything that occurred during the incident presented in a timeline view.

In the Prisma Cloud Console select Monitor > Events.

Hosts can be filtered by Collections, Hostname and Last Audit.

At the top, select Host Audits.

Find the events for kali, then click Forensic in the Network row.


Uncheck Process spawned and SSH event so that only runtime audits remain, then find the alerts for the blocked ls command and for the nslookup of www.google.com.

Close this view when you're finished. Then remove the process entry that blocks ls and the domain entry that blocks www.google.com from the rule, and repeat the test on kali: both ls and nslookup should now be allowed.

Click Check my progress to verify the objective. Protect Host with Runtime Defense

Monitor Hosts for SSH Access

In the Prisma Cloud Console, select Monitor > Runtime, select the Host Observations tab, then select kali from the host list.

Click the SSH Events tab to review the SSH activity on the host, including the sessions you opened from Cloud Shell.

Monitor Application Logs for Suspicious Activities

Review predefined templates for log inspection policy

In the Prisma Cloud Console, select Defend > Runtime, and on the Host Policy tab click Add Rule and enter the rule name "ql-nov-10". Select the Log Inspection tab and click Create from Template.

Review the log inspection template, then click Cancel.

Create log inspection policy

Add log path:

/var/log/nginx/access.log

Add inspection expression:

Mozilla

Click Add Rule.

Click Save.

Note that "Mozilla" appears in the User-Agent string of practically every browser, so this expression matches nearly every request to the site. It is used here because it makes events easy to generate, not because it detects anything suspicious; a production expression should match only what you want to be alerted on.

Generate Log Inspection Events

Use a web browser to access http://<external IP of juice-shop>

Reminder: to obtain the external IP of juice-shop, in the Cloud Console go to Navigation menu > Compute Engine > VM instances.

Create a juice-shop account, then buy some juice to generate traffic to the juice-shop web application.

Now check the access log. In the juice-shop shell, issue the following command:

sudo tail /var/log/nginx/access.log

Note that there are multiple matches for the inspection expression "Mozilla", one per browser request.

In the Prisma Cloud Console go to Monitor > Events, select Host Log Inspection and review the events.

Confirm that the inspection expression matches have triggered Host Log Inspection events.
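Because Defender evaluates the inspection expression against every new line of the watched file, a loose expression floods Monitor > Events, so it pays to dry-run an expression against real lines from the log before creating the rule. The script below is an added example, not part of the lab and not Prisma Cloud's own tooling, that runs the lab's "Mozilla" expression and two more selective ones over constructed access-log lines in nginx's combined format. The sample lines, the client addresses and the two extra expressions are invented for illustration, and grep -E stands in for Defender's own matcher (plain substrings behave the same; anything beyond that should be re-checked against the Console).

```shell
#!/bin/sh
# Added example; not part of the lab and not Prisma Cloud's own tooling.
# Dry-run log inspection expressions against nginx access-log lines before
# creating the rule in Console. grep -E stands in for Defender's matcher
# (assumption: the expressions used here are simple enough that both agree).

# Constructed sample lines in nginx's default "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
SAMPLE_LOG='203.0.113.7 - - [20/Dec/2021:10:01:02 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 512 "http://juice-shop/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"
203.0.113.7 - - [20/Dec/2021:10:01:05 +0000] "POST /rest/user/login HTTP/1.1" 200 301 "http://juice-shop/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"
198.51.100.9 - - [20/Dec/2021:10:02:17 +0000] "GET /rest/products/search?q=%27%20OR%201=1-- HTTP/1.1" 500 132 "-" "sqlmap/1.5.11#stable (http://sqlmap.org)"
198.51.100.9 - - [20/Dec/2021:10:02:18 +0000] "GET /administration HTTP/1.1" 200 2201 "-" "curl/7.74.0"'

# count_matches EXPR: how many sample lines the expression would fire on.
# `|| true` keeps grep's "no match" exit status from aborting a caller
# running under set -e; grep still prints 0 in that case.
count_matches() {
  printf '%s\n' "$SAMPLE_LOG" | grep -Ec -- "$1" || true
}

# matching_clients EXPR: distinct client IPs behind the matching lines, the
# field an analyst pivots on once the event shows up under Host Log Inspection.
matching_clients() {
  printf '%s\n' "$SAMPLE_LOG" | grep -E -- "$1" | cut -d' ' -f1 | sort -u \
    | tr '\n' ' ' | sed 's/ $//'
}

# The lab's expression fires on every browser request, so it proves the
# pipeline works but is not a detection. Two more selective expressions
# (illustrative, not from the lab): scanner User-Agents, and a URL-encoded
# or literal ' OR 1=1 probe in the request line.
SCANNER_UA='"(sqlmap|nikto|curl|python-requests)[/ ]'
SQLI_PROBE="(%27|')(%20| )OR(%20| )1=1"

for e in Mozilla "$SCANNER_UA" "$SQLI_PROBE"; do
  printf '%-40s matches=%s clients=%s\n' "$e" "$(count_matches "$e")" "$(matching_clients "$e")"
done
```

Against these four lines "Mozilla" matches both browser requests from 203.0.113.7 and nothing from the scanner, while the two narrower expressions match only the scanner traffic from 198.51.100.9, which is the behaviour you want from an expression that will page someone.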

Monitor suspicious activity on the host based on expected usage

Create rules to monitor Host activities

Prisma Cloud lets you audit security-related activity on hosts protected by Defender. The default host runtime rule alerts on host activities including user, access, and application activity.

You can create additional runtime rules to control which types of events are captured on which hosts. You will create a rule to monitor Docker commands that alter state: create, run, exec, commit, save, push, login, export, kill, start, stop, and tag.

In the Prisma Cloud Console, select Defend > Runtime, select the Host Policy tab, click Add Rule, and give the rule the name docker.

Select the Activities tab, then turn on the Docker commands switch.

Click Save.

Create a Host Activity event

Navigate to the jenkins shell and issue the following commands to start Docker and create a container:

sudo systemctl start docker
docker container create 3ac75179d901

Review Host Activity log

In the Prisma Cloud Console, select Monitor > Events.

Click Host Activities and note the Docker activity entry.

Monitor Sensitive Files

Create a Host Defend Runtime File Integrity Rule

In the Prisma Cloud Console, select Defend > Runtime, select the Host Policy tab, click Add rule, and enter the rule name "etc". Select the File Integrity tab, leave Effect set to Alert, then click Add Rule.

Add a new file integrity rule with the following settings:

  • Path: /etc
  • Write: checked
  • Read: checked
  • Metadata: checked
  • Scroll down and click Add File Integrity Rule.

Click Save to save the file integrity rule.

Create a Host File Integrity event

Navigate to the jenkins host shell and issue the following command to edit a file under the monitored path:

sudo nano /etc/resolv.conf

Change the nameserver to 8.8.8.8.

Save the changes and exit nano: Ctrl-X, then Y.

Press Enter to confirm the file name and save the file.

Review Host File Integrity log

In the Prisma Cloud Console select Monitor > Events.

Click Host File Integrity. The write to /etc/resolv.conf made by nano, running as root via sudo, appears as an event under the rule you created.

Click Check my progress to verify the objective. Gain visibility to attacks and conduct an investigation

Congratulations!

You have successfully deployed Palo Alto Networks Prisma Cloud Compute and Host Defender. Through the exercises you have seen how Prisma Cloud secures hosts with file integrity monitoring (FIM), log inspection, application, capability and activity rules, custom runtime rules, and more, and how audit and security events are captured with forensic data for quick review.

Next Steps / Learn More

End your lab

When you have completed your lab, click End Lab. Your account and the resources you've used are removed from the lab platform.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Manual Last Updated: December 20, 2021
Lab Last Tested: December 20, 2021

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.